ARP Poisoning and Flood attack in SDN

Published: 7 April 2022| Version 2 | DOI: 10.17632/yxzh9fbvbj.2
Nisha Ahuja, Gaurav Singal, Debajyoti Mukhopadhyay


It is a SDN specific data set generated by using mininet emulator and used for traffic classification by machine learning and deep learning algorithms. A tree topology with depth and fanout value of three is emulated in Mininet and used for experimental purpose. Total 27 host and 13 switches are connected to a single Ryu controller. Network simulation runs for benign and attack traffic where attack traffic is a collection of ARP Poison and ARP flood attack.


Steps to reproduce

Total 15 features are available in the data set which includes switch-id, in_port, out_port, src_mac_eth, dest_mac_eth which is Source and Destination MAC address at ethernet layer, src_mac_arp, dest_mac_arp which is Source and Destination MAC address at ARP layer, Source IP, Destination IP, operation-code which is divided into four types (1-ARP request, 2-ARP reply, 3-ICMP request, 4-ICMP reply), number of Packet_in messages generated during the traffic transmission, Protocol which specify 0 for ARP and 1 for ICMP, Pkt loss which specify the loss of packets during traffic transmission, rtt (avg) specify the average round trip time, total_time which specify the total time for the entire ping operation which also includes the delay time. Last column indicates the class label which indicates whether the traffic type is benign or malicious. Benign traffic has label 0 and malicious traffic has label 1 or 2 depending upon ARP Poison traffic has label 1 and ARP flood traffic has label 2. Network simulation is run for 250 minutes and 1,04,345 rows of data is collected. Network simulation is run for 300 minutes and 1,34,000 rows of data is collected. The simulation is run for defined interval again and more data can be collected. The data is generated by taking the log of benign traffic and attack traffic. The attack traffic comprised of ARP Poison and ARP flood attacks. So, in total there are three classes (benign, ARP poison and ARP flood attack) traffic present in the dataset. This dataset can be used with any Machine learning model for traffic classification.


Bennett University


Network Security